Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Manager: from n/a through <= 2.4.1.
AnalysisAI
Missing authorization in Automattic WP Job Manager through version 2.4.1 allows unauthenticated remote attackers to modify plugin data through incorrectly configured access control, enabling unauthorized changes to job listings and related content without proper privilege validation. The vulnerability has a low real-world exploitation probability (EPSS 0.02%) despite the network-accessible attack vector, suggesting limited practical exploitability in typical WordPress deployments.
Technical ContextAI
WP Job Manager is a WordPress plugin that manages job listings and applications. The vulnerability stems from CWE-862 (Missing Authorization), where the plugin fails to properly validate user permissions before allowing modifications to protected resources. WordPress plugins commonly expose REST API endpoints or admin actions without sufficient capability checks, allowing any authenticated or unauthenticated user to bypass access control lists. The affected CPE cpe:2.3:a:automattic:wp_job_manager:*:*:*:*:*:*:*:* indicates all versions through 2.4.1 contain this authorization flaw.
RemediationAI
Update WP Job Manager to version 2.4.2 or later as released by Automattic. Site administrators should navigate to WordPress Dashboard > Plugins > Installed Plugins, locate WP Job Manager, and click Update. If auto-updates are not enabled, manual download from wordpress.org/plugins/wp-job-manager/ is available. Interim workaround: restrict REST API access via WordPress security plugins or .htaccess rules limiting access to wp-json/wp-job-manager endpoints if the site does not require public job posting functionality. Patchstack advisory and NVD entry provide additional context at the references listed above.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20330
GHSA-9qfh-84j7-pg32